1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 19:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
Size

164KB
MD5

87db0b66e1a8eff4148bbd8028aff4d0
SHA1

68f5ea41e2c18f6abc34258886f8cd405b9dfb4f
SHA256

1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8
SHA512

45ed99a1b9c5bd624833d5cdbe333e6e881a033ea50b4709c5e22f63fa2a2ec4601c0d64cad24f1579abb381af79ddd63154c3e5845044f8b592aef062639f69
SSDEEP

1536:V7Zf/FAxTWY1++PJHJXA/OsIZfzc3/Q8OyZ2FdldJTWn1++PJHJXA/OsIZfzc3/S:fnyiQSonyZ2FdldtQSonyZ2Fdldz

Score

9^/10

ransomware upx

Malware Config

Signatures

Renames multiple (4365) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1452-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/files/0x0006000000022f42-2.dat	upx
behavioral2/files/0x0008000000022970-6.dat	upx
behavioral2/memory/1452-1522-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Primitives.resources.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PenImc_cor3.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Java\jre-1.8\bin\j2gss.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ppd.xrm-ms.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-oob.xrm-ms.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.CompilerServices.Unsafe.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\awt.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ppd.xrm-ms.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ul-oob.xrm-ms.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxslt.md.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.exe.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ul-oob.xrm-ms.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.ILGeneration.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ul-oob.xrm-ms.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Claims.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\ReachFramework.resources.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.Windows.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Process.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.Registry.AccessControl.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\coreclr.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Numerics.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordbi.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.security.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ppd.xrm-ms.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.ReaderWriter.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-pl.xrm-ms.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EntityPicker.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.EventBasedAsync.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.DiagnosticSource.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jaas_nt.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngom.md.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Metadata.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\.version.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.dll.tmp	1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe

C:\Users\Admin\AppData\Local\Temp\1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe
"C:\Users\Admin\AppData\Local\Temp\1cfd1349c78a9ecd8998139f30876c8b7cffd7be052d0c165694782dc9239eb8.exe"
1⤵
- Drops file in Program Files directory
PID:1452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp

Filesize
164KB

MD5
1be4e5823f46bd1c680b720ac2872fe2

SHA1
c12e44b94de6bf387f2c918aef818a71840834e5

SHA256
db88ce7f42a65024f9c8d37db6c096c9db5f01040138647f5685f8b37cace02a

SHA512
898dd18fe49abf509a8fc00f6f3b0dee1339a76a75a2e9af931979b4abcdbd52c96690a22865bf98641f607416cf4c0fca87f5cb9da3045b3cb7d88588eba7e6

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
263KB

MD5
e63b50549f6ffa5815466d1edd784f15

SHA1
f43d1f2988f7a79ea2bf4f21bec10ab438d1ba33

SHA256
99b3f9e7e4b64d8e0532d2e7974904ff18b804645dce674068ba5a76945b5b5d

SHA512
43c3bfb1027456631fb279f6105f50d865aace3dce127aa44bcc8a16bcca0dc2b302443be7e92746bc3da2bc37c2f7c93d86d0f43f137055b4594e031f92a085

Download Submit
memory/1452-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1452-1522-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads